CISO challenges

by Mark Rowe

Amid cyber threats and risks through the COVID pandemic, CISOs report that boards are listening and stepping up with increased budget for cyber security. Most (91 per cent) agree that the board adequately supports them with investment, according to a study for a privileged access management (PAM) product company.

However, CISOs have their work cut out to gain a board’s support. A third or more (37pc) of participants’ proposed investments were turned down because the threat was perceived as low risk or because the technology lacked demonstrable ROI. One third (33pc) believe senior management does not comprehend the scale of threat when making cyber security investment decisions.

CISOs’ own approaches to buying decisions are forward-looking as they try to keep up with industry developments and their sector peers. There are, however, signs that UK boards are more risk averse than their US counterparts. Over half of UK decision makers (51pc) describe their organisations as ‘in the pack’. By contrast, nearly half of US respondents (47pc) rate their organisations as pioneers.

A majority (75pc) say they want to try out innovative new tools. However, in practice, they are guided by their industry peers, as almost half (46pc) benchmark their buying decisions against other companies in their sector. This may lead CISOs to err on the side of proven, known technology rather than trying something new.

Comments

James Legg, CEO at Thycotic, said: “Our study clearly shows that before CISOs can pursue technology innovation they must first educate their stakeholders about the value of cybersecurity. Securing boardroom investment requires them to strike a delicate balance between innovation and compliance.”

And Terence Jackson, CISO for Thycotic, said there was still some way to go. “The fact boards mainly approve investments after a security incident or through fear of regulatory penalties for non-compliance shows that cybersecurity investment decisions are more about insurance than about any desire to lead the field which, in the long run, limits the industry’s ability to keep pace with the cybercriminals.”

About the survey

The CISO Decisions online survey was conducted among 908 senior IT security decision makers working within organisations with 500-plus employees, from nine countries: USA, UK, Germany, Australia, New Zealand, France, Spain, Singapore and Malaysia. The interviews were conducted by Sapio Research in August.

© 2024 Professional Security Magazine. All rights reserved.
